OneKeyHQ / app-monorepo

Secure, open source and community driven crypto wallet runs on all platforms and trusted by millions.
https://onekey.so

[QUESTION] How onekey calculates tokens security risks based on what? #4427

Open Mustafa-Agha opened 7 months ago

Mustafa-Agha commented 7 months ago

I see that, in the app, you calculate tokens' security risk based on riskLevel, which is :-

enum TokenRiskLevel {
  UNKNOWN = 0,
  VERIFIED = 1,
  WARN,
  DANGER,
}

but how do you determine if it's VERIFIED or WARN or DANGER from api.gopluslabs.io?

For example, if I called the following for USDT in chain-id = 1

then the response will be the following :-

{
  "code": 1,
  "message": "ok",
  "result": {
    "contract_name": "TetherToken",
    "tag": "USDT",
    "is_contract": 1,
    "creator_address": "0x36928500bc1dcd7af6a2b4008875cc336b927d57",
    "deployed_time": 1511829681,
    "is_open_source": 1,
    "is_proxy": 0,
    "trust_list": 1,
    "doubt_list": 0,
    "malicious_behavior": [

    ],
    "contract_scan": {
      "owner": {
        "owner_name": "owner",
        "owner_address": "0xc6cde7c39eb2f0f0095f41570af89efc2c1ea828",
        "owner_type": "contract"
      },
      "privilege_withdraw": 0,
      "withdraw_missing": 0,
      "blacklist": 1,
      "selfdestruct": 0,
      "approval_abuse": 0
    },
    "risky_approval": {
      "risk": null,
      "value": 0
    }
  }
}

And if you use the same api to call QNT with riskLevel = 0

You'll get the response :-

{
  "code": 1,
  "message": "ok",
  "result": {
    "contract_name": "StandardToken",
    "tag": null,
    "is_contract": 1,
    "creator_address": "0xf5e38bbedc78efea055e0c56035adb320e64c4bc",
    "deployed_time": 1523044361,
    "is_open_source": 1,
    "is_proxy": 0,
    "trust_list": 0,
    "doubt_list": 0,
    "malicious_behavior": [

    ],
    "contract_scan": {
      "owner": {
        "owner_name": "balances[msg.sender]",
        "owner_type": "multi-address"
      },
      "privilege_withdraw": 0,
      "withdraw_missing": 0,
      "blacklist": 0,
      "selfdestruct": 0,
      "approval_abuse": 0
    },
    "risky_approval": {
      "risk": null,
      "value": 0
    }
  }
}

And if you use the same api to call cUSDC with riskLevel = 2

You'll get the response :-

{
  "code": 1,
  "message": "ok",
  "result": {
    "contract_name": "CErc20",
    "tag": null,
    "is_contract": 1,
    "creator_address": "0xa7ff0d561cd15ed525e31bbe0af3fe34ac2059f6",
    "deployed_time": 1557192331,
    "is_open_source": 1,
    "is_proxy": 0,
    "trust_list": 0,
    "doubt_list": 0,
    "malicious_behavior": [

    ],
    "contract_scan": {
      "owner": {
        "owner_name": "address(0)"
      },
      "privilege_withdraw": 0,
      "withdraw_missing": 0,
      "blacklist": 0,
      "selfdestruct": 0,
      "approval_abuse": 0
    },
    "risky_approval": {
      "risk": null,
      "value": 0
    }
  }
}

From the above response, how do you determine the risk_level?

qwang1113 commented 7 months ago

Hey, @Mustafa-Agha the api that you show is token_approval_security, but the one we actually use is token_security. We determine the specific risk level of a token based on certain fields in the returned content.
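To make the point concrete, here is an added example (not OneKey's code, and not the project's real criteria) that maps the GoPlus fields quoted in the question onto the app's TokenRiskLevel enum with a hypothetical rule set, after first checking the response envelope so that a failed lookup can never be mistaken for "no risk". The thresholds in classifyToken and the trimmed cUSDC sample are assumptions constructed for this example.

```typescript
// Added example, not OneKey's code: a hypothetical mapping from the GoPlus
// fields quoted in this thread to the app's TokenRiskLevel enum.
enum TokenRiskLevel {
  UNKNOWN = 0,
  VERIFIED = 1,
  WARN,
  DANGER,
}
// Subset of the "result" object returned by the endpoint shown above.
interface GoPlusResult {
  trust_list: number;
  doubt_list: number;
  malicious_behavior: string[];
  contract_scan?: {
    privilege_withdraw: number;
    withdraw_missing: number;
    selfdestruct: number;
    approval_abuse: number;
  };
}

// Reject anything but a successful GoPlus envelope before trusting its fields:
// a non-1 "code" or missing "result" must not silently read as "no risk".
function parseGoPlusResponse(body: string): GoPlusResult {
  const env = JSON.parse(body) as { code?: number; result?: GoPlusResult };
  if (env.code !== 1 || !env.result) {
    throw new Error(`GoPlus lookup failed (code=${env.code})`);
  }
  return env.result;
}

// Hypothetical rules (an assumption, not the project's real criteria):
// doubt-listed or any malicious behaviour -> DANGER; owner privileges that
// can drain or destroy the contract -> WARN; on the trust list -> VERIFIED;
// everything else -> UNKNOWN. "blacklist" is deliberately not a trigger,
// since the USDT sample above has blacklist = 1.
function classifyToken(r: GoPlusResult): TokenRiskLevel {
  if (r.doubt_list === 1 || r.malicious_behavior.length > 0) {
    return TokenRiskLevel.DANGER;
  }
  const s = r.contract_scan;
  if (s && (s.privilege_withdraw || s.withdraw_missing || s.selfdestruct || s.approval_abuse)) {
    return TokenRiskLevel.WARN;
  }
  return r.trust_list === 1 ? TokenRiskLevel.VERIFIED : TokenRiskLevel.UNKNOWN;
}

// Constructed sample: the cUSDC response quoted above, trimmed to these fields.
const CUSDC_SAMPLE = '{"code":1,"message":"ok","result":{"trust_list":0,"doubt_list":0,"malicious_behavior":[],"contract_scan":{"privilege_withdraw":0,"withdraw_missing":0,"selfdestruct":0,"approval_abuse":0}}}';
```

Run over the cUSDC sample this mapping yields UNKNOWN, while the app shows riskLevel = 2, which illustrates the reply above: the token_approval_security fields alone cannot reproduce the app's levels.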

Mustafa-Agha commented 7 months ago

Based on the response from token_security, which criteria do you use to get the 4 riskLevel values?

I think it should be in the documentation so that we understand the criteria better and why one token is risky and another is not.